Data Protection Policy


1. Introduction

In order for Durham University to deliver its core learning and teaching functions, operate effectively as a business and meet legislative, contractual and statutory obligations, it needs to process personal data relating to present, past and prospective students, employees, alumni and supporters, suppliers, research subjects and others with whom it has dealings. The University is a data controller and therefore must comply with data protection legislation.

2. Purpose

This policy helps provide the demonstrable commitment to, and support of, compliance with data protection legislation by the University Executive Committee. This policy also helps support the University Strategy, since delivery of our core functions is reliant upon accurate, available and usable personal data and the trust of our stakeholders. Compliance with data protection legislation also enables efficient working practices and resource savings and significantly reduces the likelihood of an information security breach and its wider effects including causing harm/distress to data subjects, reputational damage, large potential fines and undertakings from the Information Commissioner.

3. Scope

This policy applies to all those individuals and organisations that process personal data on behalf of the University, including but not limited to:

Employees, consultants, contractors and temporary workers

Students undertaking a programme of study and also students performing paid or voluntary work for the University

Third parties associated with the University, such as research collaborators.

4. Policy Statement

Lawful processing of personal data is vital to the successful operation and reputation of Durham University, and for maintaining the trust of our students, employees and other stakeholders. The University is committed to protecting the rights and freedoms of individuals in accordance with the provisions of data protection legislation. In order to achieve this, the University shall ensure that personal data is handled appropriately and consistently.

Durham University shall ensure that personal data is:

Processed lawfully, fairly and in a transparent manner in relation to individuals

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data shall be stored for longer periods insofar as the personal data shall be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Durham University, as a data controller, shall be responsible for, and be able to demonstrate, compliance with the principles of data protection legislation.

All processing of personal data by third parties on behalf of the University, where the University is data controller, shall be covered by contract and include adequate data protection clauses.

5. Sharing of Personal Data

Ensuring that personal data is shared appropriately is vital to the successful operation and the reputation of the University, and for maintaining the trust of our employees, students and other stakeholders. In order to achieve this, the University shall:

Undertake a data protection impact assessment screening for any new initiatives that involve the sharing of personal data. Where sharing is likely to result in a high risk to the rights and freedoms of natural persons (particularly where new technology is involved) a full data protection impact assessment shall be completed.

Identify a clear objective, or set of objectives, for the sharing of personal data

Identify a lawful basis in data protection legislation for the sharing of personal data

Ensure that the sharing of personal data is necessary to achieve the identified objective(s). Anonymised or pseudonymised data shall be shared where the identification of data subjects is not required

Share the minimum amount of personal data required to achieve the objective(s)

Provide data subjects with privacy notices and, where data subjects have a choice, seek consent for the sharing of their personal data

Clearly distinguish factual information from opinions

Record all decisions to share personal data

Ensure that a written agreement between the parties to a data sharing arrangement is in place where personal data is shared on a systematic basis or there is a large scale transfer of personal data. Such agreements shall, as a minimum, include:

The classes, or specific items, of personal data to be shared

The source(s) of the personal data

The objective(s) of the data sharing arrangement

The lawful basis for sharing the personal data

The individuals/groups that will have access to the personal data

The methods by which the personal data will be transferred, including any controls for protecting the data from loss, destruction or unauthorised access

The frequency with which the personal data will be shared

Storage requirements for the personal data, including any controls for protecting the data from loss, destruction or unauthorised access

The parties’ responsibilities for ensuring the accuracy of the personal data

Retention and disposal requirements

Arrangements for enabling data subjects to exercise their rights

Processes and procedures for handling information security incidents.

6. Appointment and Support of the Data Protection Officer (DPO)

The University shall designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. The University shall enable the effective performance of the DPO’s tasks and ensure that the DPO is given sufficient autonomy, time, resources and support to carry out their tasks effectively, including active support by senior management.

The University shall also ensure that the DPO is ‘involved properly, and in a timely manner, in all issues which relate to the protection of personal data’, that the opinion of the DPO is given due weight and that the DPO is consulted promptly once a data breach or another incident has occurred.

7. Roles and Responsibilities

7.1 University Executive Committee shall ensure that the purposes and means of processing of personal data for which the University is data controller are determined in compliance with legislation.

Responsibility for ensuring implementation of, and compliance with, this policy will be in accordance with the University’s line management structure.

7.2 All individuals and organisations that process personal data on behalf of the University shall comply with this policy and associated data protection, information security, information management and information technology regulations, policies, processes and procedures.

7.3 The Data Protection Officer (DPO) is an advisory role and is concerned with the University’s compliance with data protection legislation. The DPO shall:

play a key role in fostering a data protection culture within the University

help implement essential elements of data protection legislation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing and notification and communication of data breaches

review the planning, implementation and progress of the University’s data protection initiatives periodically, reporting to Council

advise the SIRO in relation to any breaches of data protection legislation

be the University’s point of contact with the Information Commissioner’s Office.

The DPO shall not determine the purposes of processing personal data, or the means by which any personal data processing activity is done.

7.4 The Senior Information Risk Owner (SIRO) is an accountable role and is concerned with the management of all information assets held by the University. With regard to personal data, the SIRO shall have overall responsibility for:

the processing of personal data (of which the University is data controller) in compliance with data protection legislation, including the appropriate determination of the purposes of processing personal data, and the means by which any personal data processing activity is done

ensuring that the DPO is involved properly, and in a timely manner, in all issues which relate to the protection of personal data, that the opinion of the DPO is given due weight and that the DPO is consulted promptly once a data breach or another incident has occurred

managing the implementation of essential elements of data protection legislation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing and notification and communication of data breaches

managing the response to breaches of data protection legislation

ensuring that an effective monitoring and reporting framework is established with regard to data protection compliance, and that information asset owners and super information asset owners are designated, perform their roles and report regularly on data protection compliance in relation to their respective information assets and business units

ensuring that no individual is given access to personal data without having undertaken appropriate training and read relevant policy and guidance.

The SIRO shall also play a key role in fostering a data protection culture within the University.

7.5 Information Asset Owners shall:

ensure that personal data held within their respective business units are processed in compliance with this policy

identify and manage data protection risks within their respective business units

ensure that no individual is given access to that personal data without having undertaken appropriate training and read relevant policy and guidance

ensure that local processes and procedures are developed, implemented, followed and regularly reviewed

monitor and report on compliance in their business units as required by the University.

7.6 Super Information Asset Owners shall:

ensure that personal data comprising Major Information Assets are processed consistently in compliance with this policy

identify and manage data protection risks for their respective Major Information Assets

ensure that no individual is given access to that personal data without having undertaken appropriate training and read relevant policy and guidance

ensure that consistent local processes and procedures are developed, implemented, followed and regularly reviewed

monitor and report on compliance in relation to Major Information Assets as required by the University.

7.7 Third parties processing personal data on behalf of the University shall comply with this policy alongside any specific terms and conditions agreed contractually.

8. Breaches of Policy

All breaches of this policy and data protection legislation shall be reported immediately in accordance with the University Information Security Incident and Weakness Reporting Procedure. It may also be appropriate to report the breach in accordance with the University’s Public Interest Disclosure (‘Whistleblowing’) Policy.

Third parties shall report via their University point of contact. Breaches shall be managed in accordance with the University Information Security Incident Management Procedure.

A breach of this policy by an employee or student may result in disciplinary action. A breach by a third party may result in a termination of contract and/or compensation claim.

9. Policy Review and Maintenance

This policy shall be reviewed by the University’s SIRO and DPO annually or whenever there is a significant change in legislation, strategy or organisation. Major changes shall be approved by UEC.